TL;DR - What are you running as a means of “antivirus” on Linux servers?
I have a few small Debian 12 servers running my services and would like to enhance my security posture. Some services are exposed to the internet and I’ve done quite a few things to protect the services and the hosts. When it comes to “antivirus”, I was looking at ClamAV as it seemed to be the most recommended. However, when I read the documentation, it stated that the recommended RAM was at least 2-4 gigs. Some of my servers have more power than other but some do not meet this requirement. The lower powered hosts are rpi3s and some Lenovo tinys.
When I searched for alternatives, I came across rkhunter and chrootkit, but they seem to no longer be maintained as their latest release was several years ago.
If possible, I’d like to run the same software across all my servers for simplicity and uniformity.
If you have a similar setup, what are you running? Any other recommendations?
P.S. if you are of the mindset that Linux doesn’t need this kind of protection then fine, that’s your belief, not mine. So please just skip this post.
The core problem with this approach is that antivirus scanning is generally based on signature recognition of malicious binaries. Behavior-based antivirus scanning mostly doesn't work and tends to generate a lot of false positives. No freely available antivirus is going to have a signature library that is kept up to date enough to be worth the effort of running it on Linux - most vulnerabilities are going to be patched long before a free service gets around to creating a signature for malware that exploits those vulnerabilities, at which point the signature would be moot. If you want antivirus that is kept up to date on a weekly or better basis, you're going to have to pay for a professional service.
That said, there are other, simpler (and probably more effective) options for hardening your systems:
Firewall - if your servers are dedicated to specific services and you don't plan on adding many more applications, you should be able to tighten up their firewalls to have only the ports they need open and nothing else. If network security is a priority, you should start with this.
Application Whitelisting - prevent unrecognized applications from running. There are more options for this on Windows (including the builtin Applocker), but there are some AWL options for Linux. It's a lot easier to recognize the things that you do want to run than all of the things that you don't want to run.
Secure OS - I assume you're using Debian because it's familiar, but it is a general-purpose OS with a broad scope. Consider switching to a more stripped-down variant like Alpine Linux (it can be installed on a Pi).
The firewall point I just don't get. When I set up a server, for every port I either run a service and it is open, or I don't and it is closed. That's it. What should the firewall block?
A malware might create a service which opens a previously closed port on your system. An independently configured firewall would keep the port closed, even if the service was running without your knowledge, hopefully blocking whatever activity the malware was trying to do.
Also, you can configure the firewall to drop packets coming in to closed ports, rather than responding to the sending device that the port is closed. This effectively black-holes the incoming traffic, so it looks like there's just nothing there.
If an attacker already has access to a system, they can use hitherto closed ports to communicate with C2 servers or attack other devices. In that case, a firewall that only allows known-good traffic will prevent further damage.
You can set up an intrusion detection/prevention system, that logs/blocks certain traffic. If you do have public services running, you could block access based on location, lists of known bad actors etc. I guess you could argue that this is beyond the scope of a traditional firewall.
I don't use a firewall apart from router, but if you set a firewall in all of your devices, the chances of one of them getting infected and spreading it to the others via LAN would be low theoretically.
A modern firewall might also block connections to known bad sites, in case you do somehow get malware reaching out to a command & control server. Or it might identify malicious application traffic over a port that should be for a more trustworthy service.
But these are usually only a concern in places like businesses or schools where there are a lot more people, devices, etc. on the network, especially if there's a guest network.
I think you’re about to find out that the “belief” that Linux doesn’t need antivirus isn’t just held by everyone in this community, it’s held by the whole Linux community. Hence there being no active projects in the space.
Heck you almost don’t need any antivirus in windows anymore. Just windows defender and half a brain when it comes to what you download.
Many security experts I know consider AV software to be snake oil. I do so too. They are so complex and need so far reaching permissions to be somewhat effective, that they become the attack vector and/or a large risk factor for faulty behavior.
Add in lots of false positives and it just numbs the users to the alerts.
Nothing beats educating users and making sure the software in use isn't braindead. For example Microsoft programs that hide file extensions by default is a far bigger security problem than a missing AV tool. Or word processors that allow embedded scripts that can perform shit outside the application. The list goes on ...
Well that's just not fair. Snake oil doesn't get auto updated by the vendor, and then lock my production processes and cause an outage. I'd take a bottle of snake oil any day over Symantec.
I don't really understand that belief. There is plenty of Linux malware especially targeting servers, you just need to have an unsecure service running to find that out
I have been using linux for almost 2 decades, never seen a virus. And I never heard of a colleague or friend who got one on Linux. That's why no one has ever installed an antivirus, because, till now, the risk has been practically zero.
On windows, on the other hand, I saw so many viruses on friends and relatives computers...
People install antiviruses depending on the experience.
To be fair, we all know on Linux viruses exist, but is objectively pretty difficult to get one. It is not worth installing an antivirus if one doesn't actively install garbage from untrusted sources
What happens in the Windows world: Microsoft is not capable of creating and distributing a patch timely. Or they wait for "patch day", the made up nonsense reason to delay patches for nothing. Also since Windows has no sensible means of keeping software up to date, the user itself has to constantly update every single thing, with varying diligence. Hence Antivirus: there is so much time between a virus becoming known and actual patches landing on windows, that antivirus vendors can easily implement and distribute code that recognizes that virus in the meantime.
What happens in the linux world: a patch is delivered often in a matter of hours, usually even before news outlets get to report about the vulnerability.
I'm a senior Linux/Kubernetes sysadmin, so I deal with system security a lot.
I don't run ClamAV on any of my servers, and there's much more important ways to secure your server than to look for Windows viruses.
If you're not already running your servers in Docker, you should. Its extremely useful for automating deployment and updates, and also sets a baseline for isolation and security that you should follow. By running all your services in docker containers, you always know that all of your subcomponents are up to date, and you can update them much faster and easier. You also get the piece of mind knowing, that even if one container is compromised by an attacker, it's very hard for them to compromise the rest of the system.
Owasp has published a top 10 security measures that you can do once you've set up Docker.
Hey, kinda off topic but what's the best way to get into a Linux/Kubernetes admin role? I've got a degree in networking, several years of helpdesk experience and I'm currently working as an implementation specialist.
Is that something I could simply upskill and slide into or are there specific certs that will blow the doors open for new opportunities?
Sure! I got my start with this sort of tech, just running docker containers on my home server for running stuff like nextcloud and game servers. I did tech support for a more traditional web hosting MSP for a while, and then I ended up getting hired as a DevOps trainee for a internal platform team doing Kubernetes. I did some Kubernetes consulting after that and got really experienced with the tech.
I would say to try running some Docker containers and learn the pros and cons with them, and then I would say to start studying for the CKAD certification. The CKAD cert is pretty comprehensive and it'll show you how to run docker containers in production with Kubernetes. Kind is a great way to get a Kubernetes cluster running on your laptop. For more long term clusters, you can play around with k3s on-prem, or otherwise, I would recommend Digital Ocean's managed Kubernetes. Look into ArgoCD once you want to get serious about running Kubernetes in production.
I think with a CKAD cert you can land a Kubernetes job pretty easily.
I would probably only recommend the CKA cert on the path to CKS. CKA gets into a lot of the nitty gritty of running a kubernetes cluster, that I think most small-to-medium companies would probably skip and just run a managed solution.
Kubernetes has a steep learning curve, since you need to understand Operations top-to-bottom to start using it, but once you have it in your tool belt, it gives you endless power and flexibility when it comes to IT Operations.
This is pretty much what I have setup. I’m not logging to a separate server but I do have other things setup like fail2ban, changes default ports, secrets management, etc. Good resource tho
Behavior-based antivirus is extremely difficult, failure-prone, and almost entirely unnecessary because of how secure Linux is, so they don't exist to my knowledge. Signature-based antivirus is basically useless because any security holes exploited by a virus are patched upstream rather than waiting for an antivirus to block it. ClamAV focuses on Windows viruses, not Linux ones, so it can be a signature-based antivirus, but not many people run an email server accessed by Windows devices or other similar services that require ClamAV, so not many people use it, and nobody made any alternatives.
If you're worried about security, focus on hardening and updates, not antiviruses.
Okay, I think we can wrap this up: OP started with "I don't want to be convinced of the predominant oppinion about security" and kept their word.
OP: You got your answer. There is no alternative to ClamAV. ClamAV is open source so it will always be slower than apt update in fixing vulnerabilities.
You can wonder why the whole community that created tons and tons of cool shit for Linux with armies of talented people with way more IT knowledge than all of us combined didn't dedicate their time to Viruses. You can ask yourself how a virus would even get on your server... or you can not. Your choice. But the answer is: There is no alternative to ClamAV and ClamAV is set up mainly to detect Windows-Viruses that get spread by Mail-Attachments and the like.
I also use ClamAV, but only in specific circumstances, such as when a Linux server will be hosting end-user files. Perhaps a SAMBA server with a file share, or a web server which accepts user uploads.
In those cases, I might want to have it monitor the relevant part of the disk, but I also need to make sure my web application won't fall over when the file it just accepted is unceremoniously ripped away from it. You can test that out using the EICAR file as your payload.
On a jump box, I might also have it turned on for scanning user home directories, by including /home, and then excluding any home directories for applications and daemons which might not deal well with having their IOPS nuked or delayed.
I would recommend just setting up iptables & crowdsec. Open only the ports your services need, and add the relevant plugins to crowdsec. Nothing should come through.
If you have services that allow people to upload files, that's a different story.
You're likely doing security wrong. But I'm keeping relatively quiet, as requested.
Please read up on how to set a partition noexec, use AppArmor, firewall, how to keep things patched, hardened and actual security measures if you want to protect the server. Also make sure not only fail2ban is working but every login on exposed software on that server is protected against brute force. ClamAV and similar are to protect your windows clients of your mail and storage server. They will not help with linux viruses. And you got to protect your servers against security vulnerabilities, not malware. The server won't randomly execute an executable file on its harddrive on its own. Think about how did that malware get there in the first place. And why is the file executable... Don't be offended, you can install whatever you want, including ClamAV, just make sure you did the 95% of protection first if security is your concern.
That's what modern endpoint security is, really. Traditional AV is dead. There are far too many people making malware for file signatures or heuristics to keep up. Instead, you want to look for behavior on the system and on the network. For example, if a program starts reading every file it can find on the network, and changing then from their current formats to unreadable blobs, that's probably ransomware and should be stopped. Plain old AV probably won't catch it on the client because of how frequently it gets modified (plus all the various evasion techniques), nor on the server because nothing unusual is running on the server.
I am not a expert in Linux, and I mostly rely on very strong passwords. I also discovered recently basic stuff like changing the default SSH port. Anyone knows of implementation of 2FA on Linux?
Changing the default porta is security through obscurity, which is not security but just a waste of time. Don't rely on attackers "maybe not finding stuff" but rely on your stuff being secure, even if someone had all information about your network and system architecture.
For 2fa, the other commenter mentioned yubikey pam modules. Those are probably useful, but if you want to secure your ssh server, the best solution is to use ssh keys and disable password login. I can really recommend that as its one of the few things in security that improves both usability and security.
If at all possible, do not expose things like ssh, RDP, etc to the internet. Use traditional VPN or something like tail scale. Just because ssh is on a different port than normal doesnt mean an attacker couldn't figure out that your running ssh on port 335.
There are none.
ClamAV is the only one there is, because it has a very specific and narrow purpose.
There are no viruses for Linux.
Chrootkit and rkhunter are also built for very specific things (detecting rootkits - or making them) and are not designed to protect, they are designed to analyse.
My writing here also isn't specifically to OP, but to all others that may find this thread - Anti Virus for Linux is BS and unless you are running SMB and still have lots of Windows in your network, it's absolutely not needed, especially if you follow the basics (like not doing stuff as root, using sudo and not giving out any system rights).
...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users.[
Which is exactly what I said. ClamAV serves a very specific purpose and that's this one.
There are still no viruses for Linux specifically designed to break in to Linux, because it's not possible.